Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc
Building on the successfully merged PR #109, goal is to add a plethora of more kernel modules to be blacklisted by default based largely on the Ubuntu defaults.
Overall, this blacklists their automatic loading but does NOT permanently disable them in order to reduce the likelihood of compatibility issues.
I am not deeply familiar with the intricacies of each of these modules and so if others in the community are more knowledgeable, maybe we could begin permanently disabling them over time just to be safe.
Furthermore, due to intended future compatibility with ISOs, we decided not to disable CD-ROM by default. Instead what if we simply blacklist the modules so they are only loaded on demand?
Also as there is a strict distinction between “disable” permanently and “blacklist” automatic loading, the comments were also correspondingly updated. Perhaps we should make is difference clearer throughout the whole project?
raja-grewal
commented
2 years ago
Building on the successfully merged PR #109, goal is to add a plethora of more kernel modules to be blacklisted by default based largely on the Ubuntu defaults.
https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/13
Overall, this blacklists their automatic loading but does NOT permanently disable them in order to reduce the likelihood of compatibility issues.
I am not deeply familiar with the intricacies of each of these modules and so if others in the community are more knowledgeable, maybe we could begin permanently disabling them over time just to be safe.
Furthermore, due to intended future compatibility with ISOs, we decided not to disable CD-ROM by default. Instead what if we simply blacklist the modules so they are only loaded on demand?
Also as there is a strict distinction between “disable” permanently and “blacklist” automatic loading, the comments were also correspondingly updated. Perhaps we should make is difference clearer throughout the whole project?